December 29, 2016

Obama used a cybersecurity link for the first time to warn Russia

(Updated: January 7, 2017)

Shortly before the recent US presidential election, a dedicated cybersecurity hotline with Moscow was used by president Obama to warn the Russian government not to interfere with the election process through hacking operations.

Press reports compared the cybersecurity link with the "Red Phone", which many people believe is used on the Hotline between Washington and Moscow. That's not true, and Obama's message also seems not to have been transmitted by phone, but through an e-mail channel which is maintained by the Nuclear Risk Reduction Center (NRRC).

The Nuclear Risk Reduction Center (NRRC) at the US State Department,
which also maintains the cybersecurity communications link
between US and Russian Computer Emergency Readiness Teams (screenshot from a State Department video)

Obama's message

The fact that on October 31, US president Obama sent the Russians a direct message through the cyber channel was first reported on December 16. Three days later, NBC News came out with some details about the content of the message. According to anonymous officials, it included phrases like "International law, including the law for armed conflict, applies to actions in cyberspace" and that the US "will hold Russia to those standards."

However, another senior intelligence official told NBC that the message was "muddled" because there was no bright line laid down and no clear warning given about the consequences. According to the official, the Russian response was non-committal. It's worrying that these government officials are leaking the content of the message, thereby undermining the necessary confidentiality of such an important hotline.

Obama's warning message was not about the hacking of the Democratic National Committee (DNC) or of its chairman John Podesta, which director of national intelligence James Clapper had previously said was conducted with the knowledge of the Russian leadership. Instead, the warning reportedly only referred to the concerns about hacking around the election process itself.

Updates:

On December 29, 2016, the White House announced actions "in response to the Russian government’s aggressive harassment of U.S. officials and cyber operations aimed at our election." As the most visible action, 35 Russian intelligence operatives under diplomatic cover were expelled and two Russian compounds were closed, but although that seemed to be a response to the Russian hacking operations, it was actually a retaliation for the harassment of US diplomats over the past 2 years.
Regarding Russian hacking, only several GRU officials, two Russian hackers and a few Russian companies were named. Also some technical information was published in a Joint Analysis Report (JAR) by the FBI and the US-CERT, to identify Russian cyber attacks, but experts considered this information inconsistent and hardly useful.

US president Obama and Russian president Putin during
the G-8 summit in Northern Ireland in June 2013 (photo: Kevin Lamarque/Reuters)

The cybersecurity link

On June 17, 2013, shortly after the start of the Snowden-revelations, the White House announced that during the G-8 summit in Northern Ireland, Russia and the United States had agreed upon several confidence-building measures (CBMs) to reduce the mutual danger from cyber threats. This includes the regular exchange of technical information about malware and other kinds of risks to critical systems, which appear to originate from each other’s territory and/or could be misperceived as an attack.

Besides the information channel via the NRRC, the White House and the Kremlin also agreed to set up a direct secure voice communications line between the US Cybersecurity Coordinator at the White House and the Deputy Secretary of the Security Council of Russia, in case there should be a need to directly manage a crisis situation arising from a cybersecurity incident.

The announcement said that this direct voice line "will be seamlessly integrated into the existing Direct Secure Communication System ("hotline") that both governments already maintain" - which indicates that this line runs over the same redundant and secure satellite link as the Direct Communications Link (DCL, which is the official name of the Hotline) and the Direct Voice Link (DVL) between both heads of state.

We have no information about how this direct cybersecurity voice line is secured, but earlier, similar high-level bilateral telephone links consisted of Secure Telephone Equipment (STE), provided by the US.

Usage

As the press reports say that Obama's message was sent via the NRRC, we have to assume that it was in the form of an e-mail, and not a call through the secure voice channel. It was also reported that "the Obama administration had never used the cyber line before", but it's not really clear whether that means that the president never sent a message this way, or that the system was never used in any way.

The latter would mean that since 2013 no information about suspicious network intrusions has been exchanged between Russia and the US. The secure voice line for cybersecurity incidents has then probably also never been used - these kinds of high-level direct phone lines seem to be rarely used in general.

Watch center of the National Cybersecurity and Communications Integration Center (NCCIC),
which includes the US-CERT. On the right there's an STE secure telephone. (photo: Saul Loeb/AFP/Getty Images)

The Nuclear Risk Reduction Center

The relay of cybersecurity messages is now one of the tasks of the Nuclear Risk Reduction Center (NRRC), which is located in the US Department of State (DoS). Its Russian equivalent is part of the Russian Ministry of Defence. The Cyber Security Protocol agreed upon in 2013 is the latest of 14 arms control treaties and agreements for which the NRRC exchanges information with more than 55 foreign governments and international organizations.

The NRRC consists of a watch center that operates 24 hours a day, 365 days a year and is staffed by Department of State Foreign Service officers, civil servants, and technical support personnel. They provide and receive inspection notifications, exchanges of data regarding strategic offensive arms, prior notifications of major exercises or unit restructurings, and other treaty-required communications.

The NRRCs were established by an agreement between the United States and the former Soviet Union from September 15, 1987 in order to build confidence through information exchange about their nuclear arsenals. The centers became operational on April 1, 1988. After the split-up of the Soviet Union in 1991 this secure data link, officially called Government-to-Government Communication Link (GGCL), was extended to Ukraine, Belarus and Kazakhstan.

Initially, these communication links consisted of facsimile devices, with (one-time pad) encryption conducted by personal computers and the random keys provided on 5¼ inch floppy disks, just like on the Washington-Moscow Hotline. As of late 1995, the NRRC communications shifted to encrypted e-mail with an additional chat channel for coordination purposes.

State Department video about the Nuclear Risk Reduction Center (2012)

Red Phone versus Hotline

It may be more than clear now that Obama's warning message had nothing to do with a "Red Phone", but it should be mentioned that the White House and the military did use red phones, although not for international, but for internal communications between the president and the military command centers. This was achieved through a secure military telephone network: the Defense Red Switch Network (DRSN).

Through popular culture, the image of a red telephone came to be projected onto the direct communications link between Washington and Moscow, but this is false: the Hotline was never a phone line, as it was set up in 1963 as a teletype connection, which in 1988 was replaced by facsimile units. Since 2008 the Hotline has been a highly secure computer link over which messages are exchanged by e-mail.

Besides the cybersecurity channels, the NRRC and the Hotline, the US government has two additional channels for direct communications with the Kremlin: the Foreign Affairs Link (FAL) between the State Department and the Russian foreign ministry, and the Defense Telephone Link (DTL) between the defense ministries of both countries. Both are secure phone lines, which also exist with a range of other countries.

This means that president Obama had several other options for transmitting his warning to Russia. It seems the NRRC cybersecurity channel was chosen because it was about the threat of cyber attacks, but still, such a warning message seems not what that channel is meant for, which is the exchange of technical information about actual intrusions that could be misinterpreted as a deliberate attack.

Therefore, the Foreign Affairs Link (FAL) would probably have been more appropriate: US secretary of state John Kerry could have called his Russian counterpart to issue the warning. But generally, for important messages in which every word counts, written communications are preferred, so that left only the NRRC or the Hotline.

Using the Hotline was probably considered too dramatic, and therefore the remaining option was the cybersecurity channel maintained by the NRRC.

US Red Phones

Sequence of the real Red Phones, not for the Washington-Moscow Hotline, but for the US Defense Red Switch Network (DRSN). The phones shown here were in use from the early eighties up to the present day and most of them were made by Electrospace Systems Inc. They will be discussed on this weblog later.

The title picture of this weblog shows the watch floor of the NSA's National Security Operations Center (NSOC) in 2006. The URL of this weblog recalls Electrospace Systems Inc., the company which made most of the top level communications equipment for the US Government. All information on this weblog is obtained from unclassified or publicly available sources.